Your argument requires that sneaking in a keylogger be easy.  It’s not easy at all.

You can’t know the answer to that because there is no legal obligation to provide you with that information.

Justify your statement. 

That’s only even possibly true when passwords are weak, guessable, or subject to brute force attack. The sad truth is I know one bank which limits passwords to 14 characters in length. I’m guessing that’s because any longer would be “too long to remember” - (face palm).

A recent phone conversation with my bank after they deactivated my password which I only discovered by trying to login: